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DETAILED ACTION 

1 . This action is in response to the Board Decision filed on 1 2/21 /201 0, which 
reversed claims 4-7 and 17, and affirmed claims 8-16. Claims 4-16 have been 
examined. 

Claim Rejections - 35 USC §101 

2. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

3. Claims 4-7 and 1 7 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

Claim 4 is drawn toward a system comprising an application framework, a first 
view, and access checking logic which is merely software, per se. As such, software, 
per se does not establish a statutory category of invention. 

Claims 5-7 and 17, which are dependent on claim 4, are rejected for similar 
reasons as stated above. 

Correction is required. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 



Application/Control Number: 10/759,409 Page 3 

Art Unit: 2454 

forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 4 and 1 7 are rejected under 35 U.S.C. 1 03(a) as being unpatentable over 
Schaeck et al. (hereinafter Schaeck)(U.S. Pub. No. 2003/0163513) in view of Soluk et 
al. (hereinafter Soluk)(U.S. Pub. No. 2006/0168152). 
Regarding claim 4, Schaeck teaches as follows: 

A system for programmatic role-based security in a dynamically generated user 
interface (methods, systems, and computer program products are disclosed for 
providing role-specific views from a business web portal which supports one or more 
aggregated web services. Users having particular roles can be programmatically 
presented with different views into an aggregated service, see, e.g., Abstract), the 
system comprising: 

an application framework configured through a deployment descriptor comprising 
a listing of a set of views (multiple role-specific views will be based on the services 
and/or information which are relevant to a particular role, see, e.g., paragraph [0043]) 
and a listing of associated program logic (the fine-grained services may include any 
form of programming logic, including script programs, Java.TM. classes, COM 
classes, EJBs ("Enterprise JavaBeans".TM.) ! stored procedures, IMS or other database 
transactions, legacy applications, and so forth, see, e.g., paragraph [0052]). 

a first view (interpreted as role-specific portal page) listed in said deployment 
descriptor and comprising a linkage to a second view (interpreted as composite service 
provided through the portal page) listed in said deployment descriptor (a portal page 
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which provides an entry point into the composite service is then presented to the user, 
see, e.g., paragraph [0084]); and, 

access checking logic disposed in said first view and programmed to omit said 
linkage where a role of an end user accessing said first view is not authorized to access 
said second view according to said listing of said set of authorized roles in said 
deployment descriptor (providing a view of the aggregated service which properly 
reflects the user's role across the set of sub-services, see, e.g., paragraph [0069]). 
Therefore the end user only get access to a set of sub-services (equivalent to 
applicant's second view) based on the user's role. 

Schaeck teaches of selecting a role-specific portlet based on user's role 
determined from a profile repository (see, e.g., paragraph [0082]) but not teach of a 
listing of a set of authorized roles for selected ones of said views. 

Soluk teaches as follow: 

Identifying one or more roles associated with a target server and displaying a list 
of the identified roles to the user. This listing may include the name of the target server 
and the roles that are associated with the target server (equivalent to applicant's 
listed roles for selected views). The user may use a mouse or other pointing device to 
select a particular role from the list of roles (see, e.g., paragraph [0046]). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Schaeck with Soluk to include the method or system of presenting a 
list of roles associated with the selected target server as taught by Soluk in order for the 
user to select a particular role from the list of roles. 
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Regarding claim 17, Schaeck teaches as follows: 

Wherein said access checking logic is programmed to display said linkage where 
a role of the end user accessing said first view is authorized to access said second view 
(the selected role-specific portlet only provides access to sub-services for those who are 
authorized based on the user's role, see, e.g., paragraph [0020]). 

6. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Schaeck 
et al. (hereinafter Schaeck)(U.S. Pub. No. 2003/0163513) in view of Soluk et al. 
(hereinafter Soluk)(U.S. Pub. No. 2006/0168152) as applied to claim 4 above, and 
further in view of Schenk (U.S. Pub. No. 2006/0004887). 

Regarding claim 5, Schaeck in view of Soluk teaches all the limitations except for 
using Struts framework as the application framework incorporating the JSPs. 

Schenk teaches as follows: 

A configuration file is used to configure the presentation of an object (see, e.g., 
page 2, paragraph [0015]); and 

Java server pages can be generated with Struts framework, as open source 
framework of utilizing pre-stored design patterns (see, e.g., page 2, paragraph [0017], 
lines 15-19). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Schaeck in view of Soluk with Schenk to include Struts framework 
as an application framework incorporating the JSPs as taught by Schenk in order to 
facilitate the development of JSPs applications. 
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7. Claims 6 and 7 are rejected under 35 U.S.C. 1 03(a) as being unpatentable over 
Schaeck et al. (hereinafter Schaeck)(U.S. Pub. No. 2003/0163513) in view of Soluk et 
al. (hereinafter Soluk)(U.S. Pub. No. 2006/0168152) as applied to claim 4 above, and 
further in view of Dubois et al. (hereinafter Dubois)(U.S. Pub. No. 2002/0154646). 

Regarding claim 6, Schaeck in view of Soluk does not teach of the program logic 
comprises servlets and wherein said views comprise Java server pages (JSPs). 

Dubois teaches as follows: 

The SPE is a password-protected, Web-based application framework for 
executing user data provisioning applications. The SPE application consists primarily of 
servlets to provide the program logic and Java Server Pages to provide the 
presentation logic (equivalent to applicant's views)(see, e.g., paragraph [01 19]). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Schaeck in view of Soluk with Dubois to include servlets and Java 
Server Pages as taught by Dubois in order to efficiently provide the program logic and 
presentation logic respectively. 

Regarding claim 7, Schaeck teaches as follows: 

Said first view (interpreted as portlet page provided to the user) for invoking said 
access checking logic and for omitting said linkage responsive to said access checking 
logic (the selected role-specific portlet shows available linkage based on the user's role, 
see, e.g., paragraph [0020]). Therefore the portlet page automatically omits the linkage 
not available based on the user's role. 
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Soluk teaches as follows: 

Displays a list of the identified roles to the user and the user may use a mouse or 
other pointing device to select a particular role from the list of roles (see, e.g., paragraph 
[0046]). The examiner interpreted the custom tag as displaying options for user to 
select among list of roles. 

Therefore, it is rejected for similar reason as presented above in claim 6. 

8. Claims 8-1 6 are rejected under 35 U.S.C. 1 03(a) as being unpatentable over 
Bazinet et al. (hereinafter Bazinet)(U.S. Pub. No. 2003/0167298 A1), and further in view 
of Vasandani et al. (hereinafter Vasandani)(U.S. Patent No. 6,985,946 B1). 

Regarding claim 8 and 12, Bazinet teaches as follows: 

A method for programmatic user privilege based security in a dynamically 
generated user interface (see, e.g., abstract), the method comprising the steps of: 

authenticating access to a rendering of a selected view based upon an end 
user's privileges (access privileges of the authenticated user) requesting access to said 
selected view (see, e.g., step 414 in figure 4 and page 3, paragraph [0037]); 

processing said selected view to identify a method call to access checking logic 
(see, e.g., steps 422-434 in figure 4 and page 4, paragraphs [0042]-[0044]); and 

disposing a link to said different view in said rendering of said selected view 
conditional upon said role matches a role in said set of roles (the privilege stored in the 
portal generic objects database)(the portal application generate a page to the client 
containing entries corresponding to the backend applications that the authenticated user 
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can access based on the access privileges of the authenticated user, see, e.g., page 3, 
paragraph [0038] and step 416 in figure 4). 

Bazinet does not teach role based security access and following steps of using it 
but all limitations with user's privilege based security access. 

Vasandani teaches as follows: 

Providing role based access security within a networked computing system (see, 
e.g., col. 2, lines 40-43); 

the method for providing an authentication and authorization pipeline having a 
userlD-roles database and a resource- roles database for use in a web server to grant 
access to web resources to users (see, e.g., col. 2, line 58 to col. 3, line 9); and 

comparing said role (userlD-roles object, 21 1 in figure 4) to a set of roles 
(roles/access database, 422 in figure 4) authorized to access a different view 
(requested resource) associated with said access checking logic (the roles authorization 
module retrieves the database entry for the requested resource using the URI and 
attempts to match a role from the userlD-roles object with the roles in the roles/access 
database entry, see, e.g., col. 8, lines 1-4). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Bazinet to include the method of role based security access as 
taught by Vasandani in order to efficiently control security access by the user's roles 
predefined. 

Regarding claims 9-1 1 and 13-15, Vasandani teaches as follows: 
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Said step of authenticating comprises the step of comparing said role (userlD- 
roles object, 21 1 in figure 4) to a set of roles (roles/access database, 422 in figure 4) 
associated with said selected view to locate a match for said role (the roles 
authorization module retrieves the database entry for the requested resource using the 
URI and attempts to match a role from the userlD-roles object with the roles in the 
roles/access database entry, see, e.g., col. 8, lines 1-4); 

said locating step comprises the step of parsing a deployment descriptor 
(roles/access database, 422 in figure 4) for an application framework hosting said 
selected view and said different view to identify said set of roles (this is inherent process 
for authorization module 202 in figure 4, see, e.g., col. 7, line 53 to col. 8, line 11); and 

said processing step comprises the step of invoking external access checking 
logic for a located server page tag referencing said access checking logic (this is 
inherent process for authorization module 202 in figure 4, see, e.g., col. 7, line 53 to col. 
8, line 11). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Bazinet to include the method of role based security access as 
taught by Vasandani in order to efficiently control security access by the user's roles 
predefined. 

Regarding claim 16, Bazinet teaches as follows: 

A method for programmatic user privilege based security in a dynamically 
generated user interface (see, e.g., abstract), the method comprising the steps of: 
configuring a deployment descriptor (portal generic objects database, 203 in 
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figure 2)(populating a portal generic object database, see, e.g., page 3, paragraph 
[0032]); and 

composing a server page to include a reference to said external access checking 
logic and to invoke said external access in order to conditionally incorporate a link to a 
specific view associated with a specific set of authorized roles (the portal application, 
102 in figure 1 and 502 in figure 5, generates a page to the client containing entries 
corresponding to the backend applications, see, e.g., page 3, paragraph [0038]). 

Vasandani teaches as follows: 

Providing role based access security within a networked computing system (see, 
e.g., col. 2, lines 40-43); 

the method for providing an authentication and authorization pipeline having a 
userlD-roles database and a resource-roles database for use in a web server to grant 
access to web resources to users (see, e.g., col. 2, line 58 to col. 3, line 9); and 

programming external access checking logic to match a parameterized role 
(userlD-roles object, 21 1 in figure 4) with a role disposed in said set of roles in said 
deployment descriptor (roles/access database, 422 in figure 4)(the roles authorization 
module retrieves the database entry for the requested resource using the URI and 
attempts to match a role from the userlD-roles object with the roles in the roles/access 
database entry, see, e.g., col. 8, lines 1-4). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention to modify Bazinet to include the method of role based security access as 
taught by Vasandani in order to efficiently control security access by the user's roles 
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predefined. 
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Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jeong S. Park whose telephone number is (571)270- 
1597. The examiner can normally be reached on Monday through Friday 9:00 - 5:30 
EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Joseph E. Avellino can be reached on 571-272-3905. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/J. S. P.I 
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March 4, 201 1 

/Joseph E. Avellino/ 

Supervisory Patent Examiner, Art Unit 2454 



